分类: C/C++
2008-12-05 16:46:23
标 题:Source Insight 3.5 算法简单分析
发信人:wzh123
时 间:2003年10月17日 10:51
周详信息:
Source Insight 3.5 算法简单分析
cracker:wzh123
下载:
简
介:是个C++研发环境,有着和Dev
c++相同漂亮的界面,提供代码的编辑和察看功能,具有丰富的语法加亮功能,能像VC相同自动弹出成员函数的提示,并具有快速方便的函数跳转功能(不过跳
转速度似乎有点慢)。只是默认设置不适合时,需要仔细的调整和修改。无法查找经typedef之后的名字。
作者申明:只是学习,无其他 目的。初学破解,错误在所难免,写的也非常乱,请各位包涵,也请各位高手指教。好久没玩破解了,手都生了,逮个简单的练练手。这个软件是vc编的,无壳, 算法不难,用W32dasm反编译能非常快定位到关键点,然后可用ollydbg下断。输入假码“SI3US-123456-78901”,为什么这样输 入,经过分析你就能知道了,一下是我跟踪后做的笔记,非常粗,但基本上反映了整个注册的流程。
标 题:Source Insight 3.5 算法简单分析
发信人:wzh123
时 间:2003年10月17日 10:51
周详信息:
Source Insight 3.5 算法简单分析
cracker:wzh123
下载:
简
介:是个C++研发环境,有着和Dev
c++相同漂亮的界面,提供代码的编辑和察看功能,具有丰富的语法加亮功能,能像VC相同自动弹出成员函数的提示,并具有快速方便的函数跳转功能(不过跳
转速度似乎有点慢)。只是默认设置不适合时,需要仔细的调整和修改。无法查找经typedef之后的名字。
作者申明:只是学习,无其他 目的。初学破解,错误在所难免,写的也非常乱,请各位包涵,也请各位高手指教。好久没玩破解了,手都生了,逮个简单的练练手。这个软件是vc编的,无壳, 算法不难,用W32dasm反编译能非常快定位到关键点,然后可用ollydbg下断。输入假码“SI3US-123456-78901”,为什么这样输 入,经过分析你就能知道了,一下是我跟踪后做的笔记,非常粗,但基本上反映了整个注册的流程。
:00445D7C 683CC85800 push 0058C83C
:00445D81 E8AC4EFFFF call 0043AC32
:00445D86 683CC85800 push 0058C83C
:00445D8B E81E1D0D00 call 00517AAE
:00445D90 59 pop ecx
:00445D91 683CC85800 push 0058C83C =======>假码入栈
:00445D96 E848C6FFFF call 004423E3 =======>关键call(1),追入
:00445D9B 85C0 test eax, eax =======>比较eax是否为零
:00445D9D 7450 je 00445DEF =======>是0就跳,失败
:00445D9F 683CC85800 push 0058C83C =======>不为0,成功,写入注册表
* Possible StringData Ref from Data Obj ->"SerialNumber"
|
:00445DA4 683C5A5600 push 00565A3C
:00445DA9 FF355C025700 push dword ptr [0057025C]
:00445DAF E8FADDFEFF call 00433BAE =======>写注册表
:00445DB4 85C0 test eax, eax
:00445DB6 751B jne 00445DD3 =======>注册表写成功就跳
* Possible StringData Ref from Data Obj ->"You need permission to modify "
->"the HKEY_LOCAL_MACHINE registry "
->"hive.
Please run Source Insight "
->"again while logged in as an Administrator "
->"or equivalent user."
|
:00445DB8 6820BE5200 push 0052BE20
:00445DBD E81022FCFF call 00407FD2
:00445DC2 59 pop ecx
:00445DC3 68E8030000 push 000003E8
* Reference To: KERNEL32.Sleep, Ord:0329h
|
:00445DC8 FF15DC325200 Call dword ptr [005232DC]
:00445DCE E9C0FEFFFF jmp 00445C93
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445DB6(C)
|
:00445DD3 832524C8580000 and dword ptr [0058C824], 00000000
:00445DDA E8B9BAFFFF call 00441898
* Possible StringData Ref from Data Obj ->"Thank you for registering Source "=====>哈哈,成功之门
->"Insight!"
|
:00445DDF 68C0BE5200 push 0052BEC0
:00445DE4 E82923FCFF call 00408112
:00445DE9 59 pop ecx
:00445DEA 6A01 push 00000001
:00445DEC 58 pop eax
:00445DED EB1D jmp 00445E0C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445D9D(C)
|
* Possible StringData Ref from Data Obj ->"You typed an invalid serial number."====>失败
|
:00445DEF 68ECBE5200 push 0052BEEC
:00445DF4 E8D921FCFF call 00407FD2
:00445DF9 59 pop ecx
:00445DFA 68E8030000 push 000003E8
* Reference To: KERNEL32.Sleep, Ord:0329h
|
:00445DFF FF15DC325200 Call dword ptr [005232DC]
:00445E05 E989FEFFFF jmp 00445C93
===================关键call(1)======================
:004423E3 55 push ebp
:004423E4 8BEC mov ebp, esp
:004423E6 83EC18 sub esp, 00000018
:004423E9 57 push edi
:004423EA 6A2D push 0000002D =======> "-"入栈
:004423EC FF7508 push [ebp+08] =======> 假码"SI3US-123456-78901"入栈
:004423EF E89C460D00 call 00516A90 =======>这个call检查输入的注册码中是否含"-"
:004423F4 59 pop ecx
:004423F5 59 pop ecx
:004423F6 8945F8 mov dword ptr [ebp-08], eax
:004423F9 837DF800 cmp dword ptr [ebp-08], 00000000
:004423FD 7507 jne 00442406 =======>这里要跳,否则失败,所以注册码中含"-"
:004423FF 33C0 xor eax, eax
:00442401 E905010000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004423FD(C)
|
:00442406 8B55F8 mov edx, dword ptr [ebp-08] =======>"-123456-78901"=>edx
:00442409 2B5508 sub edx, dword ptr [ebp+08]
* Possible StringData Ref from Data Obj ->"SI3US"
|
:0044240C BFD42F5600 mov edi, 00562FD4 =======>"SI3US"=>edi
:00442411 83C9FF or ecx, FFFFFFFF
:00442414 33C0 xor eax, eax
:00442416 F2 repnz
:00442417 AE scasb
:00442418 F7D1 not ecx
:0044241A 49 dec ecx
:0044241B 3BD1 cmp edx, ecx ======>上面这一段为了说明注册码的格式,即注册码的第一部分有五位
:0044241D 7407 je 00442426 =======>要跳
:0044241F 33C0 xor eax, eax
:00442421 E9E5000000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044241D(C)
|
* Possible StringData Ref from Data Obj ->"SI3US"
|
:00442426 BFD42F5600 mov edi, 00562FD4
:0044242B 83C9FF or ecx, FFFFFFFF
:0044242E 33C0 xor eax, eax
:00442430 F2 repnz
:00442431 AE scasb
:00442432 F7D1 not ecx
:00442434 49 dec ecx
:00442435 51 push ecx
* Possible StringData Ref from Data Obj ->"SI3US"
|
:00442436 68D42F5600 push 00562FD4 =======>"SI3US"入栈
:0044243B FF7508 push [ebp+08] =======>假码"SI3US-123456-78901"入栈
:0044243E E88420FDFF call 004144C7 =======>比较前五位,所以真码的前五位为"SI3US"
:00442443 85C0 test eax, eax
:00442445 7507 jne 0044244E =======>要跳
:00442447 33C0 xor eax, eax
:00442449 E9BD000000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00442445(C)
|
:0044244E 8B45F8 mov eax, dword ptr [ebp-08]
:00442451 40 inc eax
:00442452 8945F8 mov dword ptr [ebp-08], eax
:00442455 8B45F8 mov eax, dword ptr [ebp-08]
:00442458 8945F0 mov dword ptr [ebp-10], eax
:0044245B 6A2D push 0000002D =======>"-"入栈
:0044245D FF75F8 push [ebp-08] =======>假码"123456-78901"入栈
:00442460 E82B460D00 call 00516A90 =======>检查是否含有"-"
:00442465 59 pop ecx
:00442466 59 pop ecx
:00442467 8945EC mov dword ptr [ebp-14], eax
:0044246A 837DEC00 cmp dword ptr [ebp-14], 00000000
:0044246E 7507 jne 00442477 =======>要跳
:00442470 33C0 xor eax, eax
:00442472 E994000000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044246E(C)
|
:00442477 8B45EC mov eax, dword ptr [ebp-14]
:0044247A 802000 and byte ptr [eax], 00
:0044247D 8B45EC mov eax, dword ptr [ebp-14]
:00442480 2B45F0 sub eax, dword ptr [ebp-10]
:00442483 83F806 cmp eax, 00000006 ======>中间的注册码有6位
:00442486 7404 je 0044248C ======>要跳
:00442488 33C0 xor eax, eax
:0044248A EB7F jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00442486(C)
|
:0044248C 8B45F0 mov eax, dword ptr [ebp-10]
:0044248F 8945E8 mov dword ptr [ebp-18], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424B3(U)
|
:00442492 8B45E8 mov eax, dword ptr [ebp-18]
:00442495 0FB600 movzx eax, byte ptr [eax]
:00442498 8B4DF0 mov ecx, dword ptr [ebp-10]
:0044249B 0FB609 movzx ecx, byte ptr [ecx]
:0044249E 3BC1 cmp eax, ecx
:004424A0 7513 jne 004424B5
:004424A2 8B45E8 mov eax, dword ptr [ebp-18]
:004424A5 0FB600 movzx eax, byte ptr [eax]
:004424A8 85C0 test eax, eax
:004424AA 7409 je 004424B5
:004424AC 8B45E8 mov eax, dword ptr [ebp-18]
:004424AF 40 inc eax
:004424B0 8945E8 mov dword ptr [ebp-18], eax
:004424B3 EBDD jmp 00442492 ========判断注册码第二部分各位不全等
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004424A0(C), :004424AA(C)
|
:004424B5 8B45E8 mov eax, dword ptr [ebp-18]
:004424B8 0FB600 movzx eax, byte ptr [eax]
:004424BB F7D8 neg eax
:004424BD 1BC0 sbb eax, eax
:004424BF 40 inc eax
:004424C0 85C0 test eax, eax
:004424C2 7404 je 004424C8
:004424C4 33C0 xor eax, eax
:004424C6 EB43 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424C2(C)
|
:004424C8 8B45EC mov eax, dword ptr [ebp-14]
:004424CB 40 inc eax
:004424CC 8945F4 mov dword ptr [ebp-0C], eax
:004424CF 8B7DF4 mov edi, dword ptr [ebp-0C]
:004424D2 83C9FF or ecx, FFFFFFFF
:004424D5 33C0 xor eax, eax
:004424D7 F2 repnz
:004424D8 AE scasb
:004424D9 F7D1 not ecx
:004424DB 49 dec ecx
:004424DC 83F905 cmp ecx, 00000005 =======>表示最后一部分注册码有五位,所以注册码格式为SI3US-******-*****
:004424DF 7404 je 004424E5 =======>要跳
:004424E1 33C0 xor eax, eax
:004424E3 EB26 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424DF(C)
|
:004424E5 FF75F0 push [ebp-10] =======>假码第二部分"123456"入栈
:004424E8 E850E00A00 call 004F053D =======>关键call(2)
:004424ED 8945FC mov dword ptr [ebp-04], eax
======>"123456"变换码"168DB"=>[ebp-04]
:004424F0 FF75F4 push [ebp-0C] =======>假码第三部分"78901"入栈
:004424F3 E87A450D00 call 00516A72 =======>将"78901"转为十六进制"13435"
:004424F8 59 pop ecx
:004424F9 3945FC cmp dword ptr [ebp-04], eax====>这里关键比较,相等则注册成功
:004424FC 7404 je 00442502
:004424FE 33C0 xor eax, eax
:00442500 EB09 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424FC(C)
|
:00442502 8B45EC mov eax, dword ptr [ebp-14]
:00442505 C6002D mov byte ptr [eax], 2D
:00442508 6A01 push 00000001
:0044250A 58 pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00442401(U), :00442421(U), :00442449(U), :00442472(U), :0044248A(U)
|:004424C6(U), :004424E3(U), :00442500(U)
|
:0044250B 5F pop edi
:0044250C C9 leave
:0044250D C20400 ret 0004
=====================================call(2)============================================
:004F053D 55 push ebp
:004F053E 8BEC mov ebp, esp
:004F0540 83EC10 sub esp, 00000010
:004F0543 FF7508 push [ebp+08]
:004F0546 E827650200 call 00516A72 =======>"123456"转换为十六进制"1E240"
:004F054B 59 pop ecx
:004F054C 8945F0 mov dword ptr [ebp-10], eax
:004F054F 8B45F0 mov eax, dword ptr [ebp-10]
:004F0552 8945FC mov dword ptr [ebp-04], eax
:004F0555 8365F400 and dword ptr [ebp-0C], 00000000
:004F0559 8B4508 mov eax, dword ptr [ebp+08]
:004F055C 8945F8 mov dword ptr [ebp-08], eax
:004F055F EB07 jmp 004F0568
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F059C(U)
|
:004F0561 8B45F8 mov eax, dword ptr [ebp-08]
:004F0564 40 inc eax
:004F0565 8945F8 mov dword ptr [ebp-08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F055F(U)
|
:004F0568 8B45F8 mov eax, dword ptr [ebp-08] =======>"123456"==>eax
:004F056B 0FB600 movzx eax, byte ptr [eax] =======>依次取"123456"=>eax
:004F056E 85C0 test eax, eax
:004F0570 742C je 004F059E
:004F0572 8B45F8 mov eax, dword ptr [ebp-08]
:004F0575 0FB600 movzx eax, byte ptr [eax]
:004F0578 8B4DF4 mov ecx, dword ptr [ebp-0C] =======>ecx=0
:004F057B 33048DDC2F5600 xor eax, dword ptr [4*ecx+00562FDC]
1、31^96=A7==>eax
2、32^95=A7==>eax
3、33^10=23==>eax
4、34^23=17==>eax
5、35^7=32==>eax
6、35^15=23==>eax
